Ask the Expert: Stefano Ortolani

We are launching a new series of interviews with Kaspersky Lab experts, asking for their opinions on the cyber-security industry and related threats. Here, Dr. Stefano Ortolani tells us about the importance of programming and other special skills needed to become an expert in the cyber-security industry. His research interests comprise intrusion detection, malware analysis, systems security, and communications privacy.

1) What would you say is the main reason for students to study information security?

Quite the difficult question this one. I would say because it teaches how to control and trust the digital environment we all live in, and thus also steer its further development. Let me explain it a bit further: we all know that too many times security details are currently overlooked and thus private details are still exposed. Nevertheless, we perfectly know that giving up a bit of privacy is what makes the technology around us so useful and entertaining to use (e.g., Facebook). I think that studying information security is a perfect way to explore ways to keep this tradeoff acceptable.

2) How do educational institutions keep up with the IT sector? IT develops at such a rate that surely it’s difficult to give students materials that are still relevant.

The fact that IT develops at a fairly high rate is indeed true. However, we shall not forget that the concepts which IT is built upon do not change as frequently. Cryptography, privacy, network security are all concepts that are well-established, and in fact already taught in many courses. Nevertheless, it is true that for many advanced topics (either because more research-oriented or more dependent on recent technologies) the required effort to prepare up-to-date materials is not that trivial. I personally like the approach adopted by some universities in the North of Europe: the more advanced a course is, the more it requires students to be an active part of it by, for instance, reading and writing research papers. We shall not forget, in fact, that education is supposed to teach methods rather than technologies.

3) Just how long-term do you think the current high demand for information security specialists will be?

I do not see any notable change short-term. There are multiple reasons for this: first off, just recently companies and governmental agencies are recognizing the need for security experts (my only fear is that those positions will be covered by people not sufficiently qualified). Second, we shall remember that the need for security professionals is proportional to both the number of devices deployed, and the amount of information we want to protect: both are bound to increase as we enter the era of Internet of Things. Third, even standard mechanical devices are becoming more and more electronic, and because of this, becoming susceptible to unauthorized tampering, which makes my previous observation even stronger.

4) Is a good knowledge of mathematics and programming essential for a student interested in studying information security?

Some fundamentals are essential. Especially programming is of prominent importance if we were to really understand what secure systems are, and what can be actually done to make them such. At the same time, mathematics knowledge, or better, a mathematical mindset, is what is needed to design, test, and evaluate future technology developments. Proofs of robustness of many privacy-preserving techniques are due to some mathematical frameworks. But we do not need to go that far: think for instance of TLS. TLS is a protocol that ensures confidentiality, integrity, and authentication between two parties. The actual reason why that is possible is because factorizing primes is a mathematical problem that cannot be efficiently solved.

5) Are there any cyber-threats that specifically target students and educational institutions?

Unfortunately yes, although not specifically. Just recently, Kaspersky Lab unveiled NetTraveler, a cyber-espionage campaign that has successfully compromised more than 350 high profile victims in 40 countries. The victims included scientific research centers and institutes, universities, but also private companies. Higher education institutes are particularly vulnerable because, unlike banks or other typical targets, their network access tends to be more open and less regulated.

6) Which course would be most suitable for students – not just those specializing in information security – who want to learn about information security? What would need to be included in such a course?

Two options come to mind. A course on cryptography and one on binary analysis. While the first is now essential to fully understand how our world is able to safely rely on secure financial transactions (and we do that every time we buy something on-line), the second enables the student to fully understand what really happens when a program executes and also how it can be exploited by another malicious program (a subject of prominent importance in the information security world).

7) Have you noticed a shift towards consumerism in IT education where students (with the exception of specialist faculties) are learning to use applications, but not learning to program and understand the technology?

A partial one, yes. Luckily, this is also how we can tell apart good and bad IT education. Bad IT education will always attempt to lure students by advertising programs featuring the latest technology applications (think for instance of a course about iPhone programming). Good IT education will rather focus on the underlying paradigm, for instance “how to write secure mobile applications”. Conversely, a good security program will likely try to teach the fundamentals of cryptography and only afterwards its applications. A bad security program will instead try to focus on some recent threat and/or security buzzword.